A blog to share security, networking and cloud related technology information as @vCloudernBeer picked up on his search for his destiny in the cloud. (LinkedIn: https://www.linkedin.com/in/chowanthony)

Monday, August 17, 2015

A New Chapter in Docker Networking

Docker networking is entering a new chapter. Networking is one of the pillars of modern-day IT infrastructure, and a lot of work is done by the various networking equipment vendors to provide a stable and fast network. Recently there has also been the movement towards Software Defined Networking (SDN) as well as Network Function Virtualization (NFV). In the traditional client and server model, the traffic pattern is mostly "north-south traffic" (between the server and the clients). With Docker, which is most of the time used to deploy micro-services, the containers need to talk to one another, both within the same host and across multiple hosts. This changes the traffic pattern, and the demand on the network changes to add "east-west traffic" (traffic between hosts).

Docker Inc has done a good job of packaging containers, but Docker's networking support is a bit primitive. I had a blog post on Docker networking options last year, and before that another post describing what a Docker container is and that VMware is not against but embracing this container technology. And of course there is Project Bonneville, currently in technology preview, where VMware is making Docker containers work just like virtual machines in the vSphere environment, so as to combine the "enterprise ready" features of vSphere such as Distributed Resource Scheduler and vMotion with the lightweight, fast-provisioning characteristics of Docker containers.

Native Docker Networking

On startup, Docker creates an Ethernet bridge, docker0, in the Linux kernel

docker0 provides a virtual subnet on the Docker host

Docker creates a pair of virtual Ethernet interfaces for each container

One of the Ethernet interfaces is eth0 inside the container

The other Ethernet interface has a unique name of the form veth* (e.g. vethABI3IC) and is bound to docker0 on the host

Native Docker networking is simple and is designed as a single-host solution. It does not scale well across hosts, which runs against typical Docker container use cases.

Docker Networking from 3rd parties

As mentioned in my blog post from last year, there are solutions/projects in development to solve or improve Docker networking. These solutions are:

Weave

Kubernetes

Flannel

Pipework

SocketPlane (now part of Docker Inc.)

For a detailed description of these solutions you can take a look at here or here. While these solutions are useful and have their use cases, they are all external to Docker.

Docker's latest Networking Solution

On April 30, 2015, Docker announced an open source project: libnetwork.

libnetwork

Libnetwork is an open source project and can be found on GitHub here.

This "libnetwork" library provides native networking support for Docker containers; its function is to connect containers. The library is written in the Go language. According to GitHub, "libnetwork project will follow Docker and Linux philosophy of developing small, highly modular and composable tools that works well independently. Libnetwork aims to satisfy that composable need for Networking in Containers." Libnetwork implements the Container Network Model (CNM) and is the work of various networking partners of Docker Inc such as Cisco, IBM, Microsoft, Joyent, Rancher, VMware and Weave.

The most important aspect of libnetwork is that it uses a driver/plugin model. In the past, Docker networking was handled by libcontainer and the Docker Engine; with libnetwork it is exposed through a single interface in the form of an API.

Container Network Model

This model has 3 main components:

SandBox

Endpoint

Network

image source: https://blog.docker.com/media/2015/04/cnm-model.jpg

This architecture diagram of Container Network Model is pretty self-explanatory. Again, GitHub has good information about what these 3 elements are:

Sandbox

A Sandbox contains the configuration of a container's network stack. This includes management of the container's interfaces, routing table and DNS settings. An implementation of a Sandbox could be a Linux Network Namespace, a FreeBSD Jail or other similar concept. A Sandbox may contain many endpoints from multiple networks.

Endpoint

An Endpoint joins a Sandbox to a Network. An implementation of an Endpoint could be a veth pair, an Open vSwitch internal port or similar. An Endpoint can belong to only one Network and, once connected, to only one Sandbox.

Network

A Network is a group of Endpoints that are able to communicate with each other directly. An implementation of a Network could be a Linux bridge, a VLAN, etc. Networks consist of many endpoints.
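The three CNM elements and the constraints just quoted, modelled in Go as an added example (this is not libnetwork's own code): an Endpoint belongs to exactly one Network and to at most one Sandbox, and two containers can exchange traffic directly only when their Sandboxes hold Endpoints on a common Network. The names NewNetwork, NewSandbox, CreateEndpoint, Join and CanReach are my own and do not correspond to libnetwork's API.

```go
package main

import "fmt"
// In-memory sketch of the Container Network Model (CNM): a Sandbox holds a container's
// network stack, an Endpoint joins one Sandbox to one Network, a Network groups Endpoints.
type Network struct {
	Name      string
	Endpoints map[string]*Endpoint
}
type Sandbox struct {
	Name      string
	Endpoints map[string]*Endpoint
}
type Endpoint struct {
	Name    string
	Network *Network // exactly one Network, fixed at creation
	Sandbox *Sandbox // at most one Sandbox; nil until joined
}

func NewNetwork(name string) *Network { return &Network{name, map[string]*Endpoint{}} }
func NewSandbox(name string) *Sandbox { return &Sandbox{name, map[string]*Endpoint{}} }

// CreateEndpoint mints an Endpoint on this Network (think: one side of a veth pair).
func (n *Network) CreateEndpoint(name string) *Endpoint {
	ep := &Endpoint{Name: name, Network: n}
	n.Endpoints[name] = ep
	return ep
}

// Join attaches the Endpoint to a Sandbox; CNM allows at most one Sandbox per Endpoint.
func (ep *Endpoint) Join(sb *Sandbox) error {
	if ep.Sandbox != nil {
		return fmt.Errorf("endpoint %q already joined to sandbox %q", ep.Name, ep.Sandbox.Name)
	}
	ep.Sandbox = sb
	sb.Endpoints[ep.Name] = ep
	return nil
}

// CanReach is true when both Sandboxes hold an Endpoint on a common Network: under CNM
// that, not co-location on a host, is what permits direct container-to-container traffic.
func CanReach(a, b *Sandbox) bool {
	for _, ea := range a.Endpoints {
		for _, eb := range b.Endpoints {
			if ea.Network == eb.Network {
				return true
			}
		}
	}
	return false
}
```

Put a web container and a database container on different Networks and CanReach returns false even if they run on the same host; that separation is the starting point for the segmentation features discussed later in this post.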
Why is libnetwork so special?

Libnetwork is special enough that I call this a new chapter for Docker networking.

We have seen that libnetwork provides a single interface for networking. The significance of a single interface is that libnetwork can present a plugin interface to external networking solutions. This is similar to the Neutron project in OpenStack, where 3rd-party networking solutions can be used.

Both VMware and Cisco have already jumped on this bandwagon with their respective NSX and ACI networking solutions to provide robust networking for multi-host container communication.

Besides a robust networking solution, being able to use 3rd-party networking solutions also brings Docker containers security and layer 4-7 network functions such as firewalls and load balancers. Security is an important aspect of every deployment in any environment. Both VMware's NSX and Cisco's ACI implement micro-segmentation, which provides a distributed firewall with extended rules. These extended firewall rules allow users to define security policies beyond the traditional rules based on network attributes. My next post will be on micro-segmentation.

Note: libnetwork is still under heavy development and is listed as experimental in Docker 1.7. Please check GitHub for the latest status, as things are moving at a fast pace.

Reference: https://github.com/docker/libnetwork/blob/master/docs/design.md ("Docker/libnetwork." GitHub. N.p., n.d. Web. 17 Aug. 2015.)

12 comments:

The information you have given here is truly helpful to me. CCNA: it's a certification program based on routing & switching for starting-level network engineers that helps improve your investment in knowledge of networking & increase the value of the employer's network. Regards, ccna training in Chennai | ccna training institute in Chennai

Usually I do not read posts on blogs, but I would like to say that this write-up very much forced me to try and do it! Your writing style has surprised me. Great work admin. Keep updating more blogs. CCNA Training in Chennai